Programmer Robin Seggelmann wrote the code for the part of OpenSSL that led to Heartbleed. Others reviewed it and gave it a thumbs-up, so he later added another piece of code for a new feature; this is what introduced the bug. Everyone missed the flaw, which went live in an official release on December 31, 2011. The change had been in circulation for a long time, but unfortunately it was not recognized as dangerous until very recently. Davi Ottenheimer, Senior Director of Trust at EMC and author of Securing the Virtual Environment: How to Defend the Enterprise Against Attack, warns that the flaw had wide-reaching implications.
Heartbleed impacts just about everyone
"Heartbleed is a very small change made to a small part of code that is widely used to protect data," Ottenheimer explains. "You might even say it is a flaw found in the infrastructure that we all rely upon for privacy. It is not an understatement to say it impacts just about everyone who has a password on the Internet. It's basically like discovering all your conversations for the past two years that you thought were private actually could have been heard by someone without any effort.
"This is very dangerous and why it had to be fixed immediately. Potential for harm can be huge when trusted systems have been operating with a flaw. It is hard to quantify who really has been impacted, however, because the damage is a leak rather than an outage. We could look for evidence of leaks now, because people trying to take advantage of the leak will leave particular tracks behind, but it is very unlikely tracks will have been preserved for such a long time, since the code change was made."
Small coding error, huge ripple effect
Although the code glitch was an accident, its reach has been huge, affecting about two-thirds of the web and sites like Gmail, Facebook and OKCupid. While it's reassuring to know that Heartbleed is not the result of malicious hackers, the damage has been done and your information is unsafe.
"You can protect yourself going forward with two simple steps," advises Ottenheimer. "First verify the sites you use have fixed the Heartbleed flaw. Often they will push a notice saying they have addressed the problem, or they will post a notice that is easy to find on their site, or you can consult a list of sites that have been tested. Second, change your passwords."
An ounce of prevention
"Another way to protect yourself is to get involved in the debate. You could study the political science behind important decisions, such as when and how to trust changes, or the economics of human behavior. You also could study the technical details of the code to join the debate on how best to improve the quality that everyone may rely upon for their most trusted communication."
The bottom line is this: anyone can contribute to improving open source code. If this is your area of expertise, get involved and help make the Internet a safer place for everyone.